By moving to Microsoft’s Office 365 online, you have immediate access to a platform that can meet a majority of your HIPAA compliance data needs. But as you may guess, it doesn’t end there, and it’s not that simple. However, it’s not that scary either!
Understanding the business case for using Office 365 tools will help you choose the correct licensing to protect PHI (Protected Health Information). Microsoft recommends the following licensing for healthcare practices:
-Enterprise E3 ($20.00 user/month) licenses
-Enterprise E5 ($35.00 user/month) licenses
-Business Premium ($12.50 user/month) plus AIP Plan 1 ($2.00 user/month) if you have fewer than 300 employees.
For simplicity's sake, we will focus on E3, since the most common healthcare practice business requirements and HIPAA requirements are met with the E3 license.
First off, all data at rest (data that is being stored, not being accessed or sent) within O365 is encrypted. Where it gets tricky is in how data and information are transported. The E3 license includes AIP (Azure Information Protection) Plan 1, which is also known as Azure Rights Management. AIP keeps email and messages encrypted in transit. The E3 license also includes SharePoint Plan 2 which has DLP (Data Loss Prevention) policies. DLP allows you to put policies in place to prevent SharePoint information from being shared outside the organization.
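As an added example (not code from the original article), the SharePoint DLP capability described above can be set up from Security & Compliance PowerShell so that documents holding PHI-type identifiers cannot be shared with anyone outside the organization. The cmdlets and built-in sensitive information types are Microsoft's; the policy and rule names are placeholders, and the script assumes the ExchangeOnlineManagement module and a compliance admin role.

```powershell
# Added example: SharePoint/OneDrive DLP policy that blocks external sharing
# of documents containing PHI-type identifiers (SSN, DEA number).
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a Security & Compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # opens a Security & Compliance PowerShell session

$policyName = 'PHI-External-Sharing'   # placeholder policy name

# Weak starting point: the policy is created in test mode. Matches are
# reported and users are notified, but nothing is blocked yet. This is
# visibility only and does not by itself stop PHI leaving the tenant.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Prevent PHI stored in SharePoint/OneDrive from being shared externally' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: when a document contains at least one SSN or DEA number and is shared
# with someone outside the organization, block the external recipients
# (PerUser leaves the owner's own access intact) and notify the owner.
New-DlpComplianceRule -Name "$policyName-Block" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -ReportSeverityLevel High

# Corrected setting: once the test-mode reports have been reviewed for false
# positives, switch the policy to Enable so external sharing is really blocked.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Verify what is actually in force rather than trusting the portal checkbox.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser
```

Run the policy in TestWithNotifications mode long enough to see which legitimate workflows trip it before flipping to Enable; an enforced rule that blocks clinicians' normal sharing tends to be switched off rather than tuned.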
In addition to choosing licenses, there are other steps that Microsoft suggests you take. One step relates to Business Associate Agreements. Automatically, the BAA with Microsoft is available for every O365 customer and is included as part of the terms when you sign up for the service. What you can do further to protect your practice is to email MSOHIPAA@microsoft.com and designate someone at your practice as the HIPAA Administrative Contact. This person is notified in the event of a security breach that could potentially involve PHI.
The resources and tools available from Office 365 can be a great way to extend the security of PHI data that is not housed within your EHR platform. With the right Microsoft partner consulting and customizing the platform, this security can extend to the PHI that leaves and enters your EHR.
No technology alone is enough to be HIPAA compliant. Additional steps, beyond the information stated above, are required to be HIPAA compliant. Some additional requirements may include:
-Excluding PHI in subject lines
-Requiring two-factor authentication
-Having correct security configurations
Just to name a few.
Microsoft’s Office 365 does not by itself guarantee HIPAA compliance; it is one facet of HIPAA compliance. Your healthcare practice should also have processes, policies, and training in place that ensure your staff do not use Office 365 in a way that violates HIPAA.